In an effort to further secure the developer accounts and code hosted on its platform, GitHub has announced that its users will need to enroll in two factor authentication (2FA) by the end of next year.
More specifically, anyone that contributes code on the Microsoft-owned platform will need to enable one or more forms of 2FA.
According to a new blog post from GitHub’s chief security officer Mike Hanley, the software supply chain starts with developers and developer accounts are frequently targeted by social engineering and account takeover. By protecting developers from these types of attacks, the company is taking the first and most critical step toward securing the software supply chain.
Going forward, GitHub plans to explore new ways of securely authenticating its users including passwordless authentication. In fact, just last year, the company added the ability to use security keys for authentication as part of its efforts to move towards a passwordless future.
Securing the software supply chain
Back in November of last year, GitHub committed to new investments in npm account security following npm package takeovers that were the result of developer accounts without 2FA enabled that had been compromised.
Although zero-day vulnerabilities get a lot of attention online, lower-cost attacks such as social engineering, credential theft or data leaks are actually responsible for most security breaches.
Compromised accounts on GitHub can be used to steal private code or even to push malicious changes to that code. Unfortunately, not only individuals and their organizations associated with these compromised accounts are at risk but also any users of the affected code.
The best defense against compromised user accounts is moving beyond basic password-based authentication. However, only 16.5 percent of all active GitHub users today and 6.44 percent of npm users use one or more forms of 2FA.
GitHub users have plenty of time to prepare for this change and the company recently launched 2FA for GitHub mobile on iOS and Android. Those interested in learning how to configure GitHub Mobile 2FA can check out this support document to get started.